
In a cloud environment instance images are typically cloned. This implies that the credentials used by the Cloudbase-Init service, even if randomly generated, are identical across instances of the same image, unless replaced during boot, e.g. by the post-sysprep specialize actions.

Since this cannot be controlled in cases in which sysprep or similar mechanisms are not used (e.g. a Nova image snapshot), this patch adds a mechanism to reset the Cloudbase-Init service password at each execution.

This avoids potential "pass the hash" type of attacks executed from user-data across instances booted from the same image.

Change-Id: Ib778acc4c01f476c600e15aa77ed777523a77538
Closes-Bug: #1631567
Co-Authored-By: Adrian Vladu <avladu@cloudbasesolutions.com>
Co-Authored-By: Alexandru Coman <acoman@cloudbasesolutions.com>

28 lines
935 B
Python

# Copyright 2013 Cloudbase Solutions Srl
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.


class FakeComError(Exception):
    # Test double for a COM error: exposes an excepinfo sequence whose
    # last element holds the error code.

    def __init__(self):
        super(FakeComError, self).__init__()
        self.excepinfo = [None, None, None, None, None, -2144108544]


class FakeError(Exception):
    # Test double for a Windows error: exposes a winerror attribute,
    # left as None by default.

    def __init__(self, msg="Fake error."):
        super(FakeError, self).__init__(msg)
        self.winerror = None
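
The commit message above describes resetting the service password at each execution so that instances cloned from one image stop sharing a credential. The following is an added example, not Cloudbase-Init code: it models that effect, and the helper names, the character classes and the SHA-256 fingerprint (a stand-in for the stored password hash) are assumptions.

```python
import hashlib
import secrets
import string

# Character classes a complexity policy might require (assumed for this example).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+")


def generate_password(length=20):
    """Return a random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short for the complexity policy")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject and redraw instead of patching characters in, which would
        # bias the distribution of the result.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def fingerprint(password):
    """Stand-in for the stored credential verifier (SHA-256, not the NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def boot_clone(image_password, reset_on_boot):
    """Model one instance booted from an image (hypothetical helper).

    Without a reset the clone keeps the credential baked into the image;
    with a reset it gets a fresh one at each execution.
    """
    password = generate_password() if reset_on_boot else image_password
    return fingerprint(password)


def shared_credentials(fingerprints):
    """Return the fingerprints that appear on more than one instance."""
    seen, dupes = set(), set()
    for fp in fingerprints:
        (dupes if fp in seen else seen).add(fp)
    return dupes


if __name__ == "__main__":
    image_pw = generate_password()  # constructed sample: password baked into the image
    for reset in (False, True):
        fleet = [boot_clone(image_pw, reset) for _ in range(5)]
        print("reset_on_boot=%s shared=%d" % (reset, len(shared_credentials(fleet))))
```
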